TitanHQ

Cryptojacking Malware Injected into Pirated Games

Posted by Trevagh Stankard on Thu, Jul 22nd, 2021

For several months, cryptocurrency has been booming. Prices have been skyrocketing, which makes it valuable to legitimate users and hackers alike. To make money from it, hackers have added malware to pirated games. The malware, named Crackonosh, uses the victim's computer resources to generate cryptocurrency for the attacker. Users are warned not to use pirated software, but many disregard the warnings and download it without thinking of the consequences.

Tampered Popular Games Mine Monero

When attackers add their own malware, they often take legitimate games and wrap the installation with their own code. The installer adds the legitimate software, but it also adds malware that runs in the background. With Crackonosh, the installer adds a mining application named XMRig. The mining application itself is legitimate, but the way it is used here is not.

The XMRig application uses computer resources to mine the popular cryptocurrency Monero. It’s hidden in popular games such as Grand Theft Auto V, NBA 2K19, and Pro Evolution Soccer 2018. Researchers found that the malware was downloaded mainly from forum websites, but it can be hosted anywhere on the internet.

Mining millions in cryptocurrency takes more than one computer, so attackers spread the malicious executable files to as many users as possible. It’s estimated that 222,000 devices are infected as of December 2020, and attackers have reaped a little more than $2 million in the Monero cryptocurrency.

The most affected regions are the Philippines, Brazil, India, Poland, the US, and the UK.

Mode of Infection and Disabling Antivirus

Malware distributed this way usually starts with what looks like a legitimate installer program. With Crackonosh, the installer program points to a file named maintenance.vbs, a custom script that starts the installer, which in turn executes the file serviceinstaller.exe. The final serviceinstaller.exe executable then installs the XMRig software by downloading it from the internet.

As with most malware, Crackonosh has different variants to avoid detection by antivirus software, but it also attempts to disable antivirus applications running on the device. If the device runs Windows, the malware attempts to disable Windows Defender, the anti-malware application included with the operating system.

Crackonosh not only disables antivirus and Windows Defender, it also creates and stores an icon in the Windows system tray to trick users into thinking their antivirus system is still running. It also disables automatic updates so that the anti-malware system cannot be re-enabled.
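The chain described above can be hunted for in process-creation telemetry. The following is an added example, not code from the original article or from any vendor: it scores hosts by how many distinct stages of the chain they show. The event field names, the sample log lines, and the `xmrig` binary-name match are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Stage indicators taken from the article's description of the chain.
# File names are weak signals on their own (they are easily changed and
# serviceinstaller.exe is a generic name), so a host is only reported
# when it shows several distinct stages.
STAGES = {
    "script": lambda e: e["image"].lower().endswith(("wscript.exe", "cscript.exe"))
    and "maintenance.vbs" in e["cmdline"].lower(),
    "dropper": lambda e: e["image"].lower().endswith("\\serviceinstaller.exe"),
    "miner": lambda e: "xmrig" in e["image"].lower(),  # assumed binary name
}

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_LOG = r"""
{"host":"PC-01","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Games\\setup\\maintenance.vbs"}
{"host":"PC-01","image":"C:\\Games\\setup\\serviceinstaller.exe","cmdline":"serviceinstaller.exe"}
{"host":"PC-01","image":"C:\\ProgramData\\xmrig.exe","cmdline":"xmrig.exe --background"}
{"host":"PC-02","image":"C:\\Vendor\\serviceinstaller.exe","cmdline":"serviceinstaller.exe /install"}
{"host":"PC-03","image":"C:\\Windows\\System32\\cscript.exe","cmdline":"cscript.exe //B D:\\dl\\Maintenance.VBS"}
{"host":"PC-03","image":"D:\\dl\\ServiceInstaller.exe","cmdline":"ServiceInstaller.exe"}
{"host":"PC-04","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
"""

def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def stages_by_host(events):
    """Map each host to the set of chain stages seen on it."""
    seen = defaultdict(set)
    for event in events:
        for name, matches in STAGES.items():
            if matches(event):
                seen[event["host"]].add(name)
    return seen

def suspicious_hosts(events, min_stages=2):
    """Return hosts showing at least min_stages distinct stages."""
    return {host: sorted(stages)
            for host, stages in stages_by_host(events).items()
            if len(stages) >= min_stages}

if __name__ == "__main__":
    for host, stages in suspicious_hosts(parse_events(SAMPLE_LOG)).items():
        print(host, stages)
```

Because the malware disables the endpoint's antivirus, this kind of check is most useful when run centrally over forwarded logs rather than on the affected device.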

Preventing Crackonosh on Your Computer

Although Crackonosh is spread mainly on internet forums, it can be spread in any way an attacker can get users to run the fake installer. It can be sent in a malicious email, included in document macros, and linked in other messages. Because the malicious software is hidden in pirated content, it’s mainly spread on forums that offer links to distributed cracked software.

Crackonosh uses resources whether it’s on a private or business device. Individuals could see a higher electric bill when XMRig runs continuously on devices in the home, but businesses could suffer the most if several machines fall victim to the malware. Because antivirus is disabled, administrators would not be aware that the device has been compromised.

Administrators can block malicious executables that could contain Crackonosh in two ways: blocking access to content based on DNS and domain lookups, and filtering suspicious emails using cybersecurity filters. Cybersecurity filters are the best way to block malicious email messages. These systems detect numerous attacks such as phishing, spoofed headers, links to attacker-controlled sites, and malicious attachments. All of these attacks could be used to spread Crackonosh to business devices.

Content filters also help fight malware. Content filters based on DNS lookups block user browsers from accessing the site. Should an attacker bypass email filters, the web content filters would disallow access to the site if the user falls for the attack and clicks a link to a forum hosting the Crackonosh malware or any other malicious programs that could cause damage to a local device.

Both cybersecurity defenses work well together to stop malicious programs from reaching user devices. Users should always be trained to avoid sites that offer pirated software, but using cybersecurity defenses to block malicious emails and websites adds a layer of protection to the user device and the entire network environment.

User training is still necessary, but email and web content cybersecurity are also needed to help stop human error. You can’t completely eliminate all risks, but you can add layers of cybersecurity that will help protect devices.

Get ahead of the ever-evolving threat landscape and become bulletproof with TitanHQ layered security. WebTitan DNS Filter eliminates malicious content at the source and SpamTitan Email Protection blocks 99.9% of spam, phishing, spoofing, malware, ransomware and other email threats. Start Free Trial today and see results in less than 1 hour.
